CVE-2025-15138

4.7 MEDIUM

📋 TL;DR

This vulnerability in TinyFileManager allows attackers to perform path traversal attacks by manipulating the 'fullpath' parameter in tinyfilemanager.php. This could enable unauthorized file access or uploads. All users running TinyFileManager up to version 2.6 are affected.

💻 Affected Systems

Products:
  • prasathmani TinyFileManager
Versions: Up to and including 2.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the core file manager functionality and affects all installations of affected versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution through file upload combined with path traversal, potentially leading to complete system compromise.

🟠 Likely Case

Unauthorized file access, directory traversal, and potential file upload to arbitrary locations.

🟢 If Mitigated

Limited to file enumeration and read access if proper file permissions restrict write operations.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details have been published online and the vulnerability is remotely exploitable without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Consider upgrading to any version above 2.6 if one is available, or implement the workarounds below.

🔧 Temporary Workarounds

Input Validation for fullpath Parameter (applies to: all)

Add input validation to sanitize the fullpath parameter and prevent directory traversal sequences.

Edit tinyfilemanager.php and add path sanitization before the fullpath parameter is processed.
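The following is an added illustration of that workaround, not code from TinyFileManager itself: a helper (hypothetical name `confine_to_root`, hypothetical base directory `/var/www/files`) that canonicalises the requested path with realpath() and rejects anything that resolves outside the configured base directory, so '../' and '..\' sequences are neutralised by resolution rather than by pattern matching. It resolves only the parent directory, so it also works for upload targets that do not exist yet.

```php
<?php
// Added example (not TinyFileManager code). Assumed helper name and root.

/**
 * Return the absolute path for $userPath confined under $root, or null
 * when the request must be rejected. $userPath is the raw 'fullpath' value.
 */
function confine_to_root(string $root, string $userPath): ?string
{
    $rootReal = realpath($root);
    // Root must exist; NUL bytes are rejected outright because filesystem
    // calls truncate at the NUL and would ignore whatever follows it.
    if ($rootReal === false || strpos($userPath, "\0") !== false) {
        return null;
    }
    // Treat Windows separators as '/', so a '..\' segment is seen as '../'.
    $norm = str_replace('\\', '/', $userPath);
    $dir  = dirname($norm);    // "a/b.txt" -> "a", "b.txt" -> "."
    $base = basename($norm);
    // The final component must be a plain file name, never a traversal token.
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    // Resolve the parent directory only: this collapses every '..' segment
    // and still allows a target file that does not exist yet (uploads).
    $parent = realpath($rootReal . '/' . $dir);
    if ($parent === false) {
        return null;           // parent directory does not exist: reject
    }
    // Prefix check with a trailing separator so "/var/www/files2" does not
    // pass for root "/var/www/files".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($parent !== $rootReal && strncmp($parent, $prefix, strlen($prefix)) !== 0) {
        return null;           // resolved outside the base directory
    }
    return $parent . DIRECTORY_SEPARATOR . $base;
}

// Assumed wiring, placed before any file operation on the requested path:
$root = '/var/www/files';                      // assumed base directory
$path = confine_to_root($root, $_GET['fullpath'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('Invalid path');
}
// ... continue with $path instead of the raw 'fullpath' value ...
```

Because the check is done after canonicalisation, URL-encoded or mixed-separator variants of the traversal sequence are handled the same way as the literal '../'.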

Web Application Firewall Rules (applies to: all)

Implement WAF rules to block directory traversal patterns in requests.

Add a WAF rule to block requests containing '../', '..\', or similar traversal patterns.

🧯 If You Can't Patch

  • Remove or disable TinyFileManager from internet-facing systems
  • Implement strict network access controls to limit access to TinyFileManager instances

🔍 How to Verify

Check if Vulnerable:

Check whether the TinyFileManager version is 2.6 or earlier by examining the software version in the interface or in the source files.

Check Version:

Check the version in the tinyfilemanager.php header or in the configuration files.

Verify Fix Applied:

Test path traversal attempts with payloads like '../../etc/passwd' in the fullpath parameter to verify they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' or '..\' patterns in parameters
  • Unusual file access patterns from web server process

Network Indicators:

  • HTTP requests with path traversal payloads in URL parameters

SIEM Query:

web.url:*../* OR web.param:*../*
